DDoS: Ellie Mae Hit with Timely AttackOnline Takedown, FFIEC Notice Point to Need for Mitigation
News of a distributed-denial-of-service attackagainst Ellie Mae, which provides core operating systems and other technologies to mortgage originators, came the same week as banking regulators issued a reminder about mitigating the risks associated with such attacks.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
Ellie Mae, which has approximately 1,500 clients, confirms it suffered a DDoS attack from March 31 to April 1 that caused sporadic website outages. It described the incident as "a well-formed Web service request from a wide distribution of sources." The company says there's no evidence of any data breach tied to the attack, and that client data and personal borrower data remained secure.
On April 2, the Federal Financial Institutions Examination Council issued statements notifying financial institutions of risks linked to continued DDoS attacks as well as ATM cash-out schemes. In that statement, banking regulators outlined steps institutions are expected to take to mitigate their risks.
Security experts say the news about the attack against Ellie Mae and the notices from the FFIEC point to the need for financial institutions to take a hard look at the risks they face, as well assess their vendor partners' risks.
Commenting on the FFIEC notice, Rodney Joffe, senior vice president and technologist for DDoS mitigation provide Neustar, says: "I can't remember a time when a federal regulator or regulatory body has actually come out with a statement around cybersecurity like this with very, very clear directions,"
DDoS attacks against banking institutions garnered attention in September 2012, when the self-proclaimed hacktivist group known as Izz ad-Din al-Qassam Cyber Fighters began its first phase of attacks against leading U.S. banks. Those attacks continued through the summer of 2013.
While strikes against banking institutions have subsided, the fact that the FFIEC has issued this guidance suggests the threats posed by DDoS are ongoing, Joffe says.
"[Banking institutions] need to go through the recommendations that are provided by the FFIEC," he says. "Banks now need to start looking at those best practices and see how close they come to fulfilling them already."
The statement from regulators also stresses that banking institutions, especially smaller ones, need to consider hiring third parties to help them manage their DDoS mitigation strategies, notes Mike Smith, a security evangelist at online security firm Akamai Technologies.
"What we've seen during the DDoS attacks against financial services over the past couple of years is that the organizations that will survive the best are the ones that have processes, pre-determined risk assessments, and decision criteria for allowing mitigation providers to inspect SSL [secure-sockets-layer] traffic," Smith says.
Ellie Mae Incident
A spokesman for Ellie Mae notes the company uses including Juniper firewalls; real-time monitoring provided through Zenoss, Splunk, Balance and Vsphere; and a staffed 24x7 network monitoring system. However, these systems rely on detecting patterns that were not present in the attacks that took the company's website offline.
"Ellie Mae has engaged a third-party security/threat management firm to aid us in evaluating the data we already have as well as adjusting configuration settings to increase potential detection," the spokesman says.
The Office of the Comptroller of the Currency said in a corresponding statement about DDoS attacks that the FFIEC expects banks to address DDoS readiness as part of their ongoing information security and incident response plans.
Specifically, the OCC notes that banking institutions are expected to monitor incoming traffic to their public websites; activate incident response plans if they suspect a DDoS attack is occurring; and ensure sufficient staffing for the duration of the attack, including the use of previously contracted third-party services.
The OCC also notes that community banks should ensure that their in-house information technology units or service providers are taking appropriate action to mitigate DDoS risks.
The National Credit Union Administration, in a statement provided to Information Security Media Group, says that while DDoS attacks against credit unions have been relatively uncommon, they are, nevertheless, concerning.
"Because this type of attack occurs so infrequently, there is not enough data available to suggest a trend," a spokesman for the agency says. "However, these are serious types of attacks with the potential to inflict significant damage, so it is important for the industry and for the NCUA to remain vigilant."
(News writer Jeffrey Roman contributed to this story.)